
Criticality Inversion Problem

The classical real-time scheduling community usually represents a task $\tau_i$ by three parameters, as follows [26]:

$$\tau_i = \langle P_i, D_i, C_i \rangle$$

in which $P_i$ represents the period, $D_i$ the deadline and $C_i$ the WCET. In such a model, scheduling decisions do not consider the criticality of jobs but only the requirements indicated by a priority, which determines which job is executed next. Priorities are usually assigned with the purpose of maximizing the schedulable utilization so that the deadlines of all jobs within a job set are respected. The utilization maximization approach of traditional real-time scheduling typically makes two important assumptions [13]:

1. All tasks are equally important and consequently also all jobs are equally

2. The utilization never goes beyond the allowable thresholds.

A remarkable way in which scheduling analysis has been extended in recent years is the removal of the assumption that all tasks and jobs to be scheduled have the same level of criticality [57, 13]. Moreover, the second assumption does not hold, as some jobs may go beyond their specified $C_i$. The presence of criticality as a task property has led to novel and more appropriate models in which one or more task parameters can change according to the required level of assurance. Most of the time, such models deal with systems whose tasks are either of high criticality or of low criticality, indicated in this dissertation as HI or LO tasks. The HI tasks have two WCET estimates, one optimistic and the other more conservative, indicated respectively by $C^{LO}$ and $C^{HI}$. Within mixed-criticality systems, if there is ever a situation where it is possible to satisfy the deadline of only one job, the deadline of the higher criticality job is always expected to be met first. When high criticality jobs go beyond their optimistic allowable threshold, incoming non-critical jobs may have higher scheduling priority. This usually leads to transient faults and to a phenomenon named criticality inversion [13], in which high priority non-critical jobs preempt low priority jobs that have a higher impact on the overall system correctness, e.g., with regard to safety, potentially leading the latter to miss their deadlines.

A very simple way to eliminate criticality inversion is to assign priorities to tasks first according to their criticalities and then according to their timing requirements. This strategy is named Criticality Monotonic (CM) or Criticality As Priority Assignment (CAPA) [13]. This approach eliminates the criticality inversion in case a HI job overruns its $C^{LO}$, but it can lead to very poor utilization if the resulting task order turns out to be contrary to the best priority assignment to maximize utilization, and it can generate priority inversions.

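| Task | P | D | et | $C^{LO}$ | $C^{HI}$ | L |
|---|---|---|---|---|---|---|
| A | 8 | 8 | 5 | 2 | 5 | HI |
| B | 5 | 5 | 2 | 2 | --- | LO |

[Figure: timeline of jobs $A_0$, $B_0$ and $B_1$ (axes: Time, Tasks). Annotations: "The HI job $A_0$ overruns its $C^{LO}$"; "$A_0$ misses its deadline".]

Figure 3.1: Criticality inversion example: job $A_0$ overruns its optimistic WCET, it is preempted by the higher priority LO job $B_1$ and misses its deadline.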

deadlines which is scheduled with a standard real-time fixed-priority scheduler. Task A has criticality HI while task B has criticality LO. Priorities are assigned to tasks according to deadlines and jobs are processed using the Deadline Monotonic (DM) algorithm. No jobs would miss their deadlines as long as they complete within their $C^{LO}$ estimates. However, the lack of a runtime protection mechanism to ensure the completion of highly critical instances that exceed their optimistic time thresholds leads to a missed deadline. It is possible to notice that the HI job $A_0$ exceeds its optimistic WCET at time $t = 4$ and is preempted by the higher priority LO job $B_1$ at time $t = 5$. Because of this, $A_0$ does not complete within its deadline.

The final aim of mixed-criticality scheduling protocols is mainly to protect the execution of HI jobs from the interference of higher priority LO jobs due to resource shortages. The current state of the art is to prevent LO instances from preempting jobs with higher impact on the system correctness by abandoning the former whenever the timeliness of the latter in meeting their deadlines is endangered. This approach guarantees that high criticality jobs meet their deadlines and complete their execution. However, LO tasks are still relevant, and simply abandoning their instances decreases their service level too much. Therefore, deciding how to solve the criticality inversion problem basically means deciding how to degrade lower criticality tasks in favour of the most critical ones.

3.6 Fixed-Priority Mixed-Criticality Scheduling

This section reviews the work that has been produced in the field of mixed-criticality scheduling algorithms that use fixed-priority assignment strategies on uniprocessor platforms.

In 2011, Baruah et al. extended Vestal's model by proposing the Adaptive Mixed Criticality (AMC) together with response-time analysis techniques for constrained deadline dual-criticality task sets [69]. Such techniques have recently been extended to also manage sets of tasks with arbitrary deadlines [70]. The AMC scheduling algorithm requires a monitor to check how long each individual job executes. The scheduling protocol works in two execution modes, high criticality and low criticality, indicated respectively by HI and LO, as described below:

2. While Γ = LO, at each instant the waiting job generated by the task with highest priority is selected for execution.

3. If the currently executing job does not complete within its optimistic WCET estimate, then the system changes execution mode and Γ = HI.

4. Once Γ = HI, all low criticality jobs will not be executed. Henceforth, at each instant the waiting job generated by the highest priority HI task is selected for execution.

5. An additional rule can specify the circumstances when Γ gets reset to LO, e.g., if no HI jobs are active at some instant in time.
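
The Figure 3.1 scenario and AMC rules 2 to 5 above, as an added example that is not part of the original dissertation: a unit-step simulation that runs the table's task set under plain Deadline Monotonic and under AMC. Assumptions: every job of a task takes the table's `et`, LO jobs pending while Γ = HI are dropped outright, and Γ resets when no HI job is ready; `Task`, `simulate` and the other names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Task:
    name: str
    period: int
    deadline: int
    et: int      # actual execution time of every job (assumption: all jobs take "et")
    c_lo: int    # optimistic WCET
    hi: bool     # True for a HI-criticality task

# Task set from the table of Figure 3.1 on this page.
TASKS = [Task("A", 8, 8, 5, 2, True), Task("B", 5, 5, 2, 2, False)]

def simulate(tasks, horizon, amc):
    """Unit-step fixed-priority simulation. Returns (finish, missed, dropped)."""
    prio = sorted(tasks, key=lambda t: t.deadline)        # Deadline Monotonic order
    ready, finish, missed, dropped = [], {}, [], []
    mode = "LO"                                            # the indicator called Γ above
    for t in range(horizon):
        for task in tasks:                                 # periodic releases from t = 0
            if t % task.period == 0:
                ready.append({"task": task, "id": f"{task.name}{t // task.period}",
                              "due": t + task.deadline, "done": 0})
        if amc and mode == "HI":
            if not any(j["task"].hi for j in ready):       # rule 5: no HI job active
                mode = "LO"
            else:                                          # rule 4 (assumption: drop LO jobs)
                dropped += [j["id"] for j in ready if not j["task"].hi]
                ready = [j for j in ready if j["task"].hi]
        if not ready:
            continue
        job = min(ready, key=lambda j: (prio.index(j["task"]), j["due"]))
        job["done"] += 1                                   # run the chosen job for one unit
        if job["done"] == job["task"].et:                  # completes at time t + 1
            ready.remove(job)
            finish[job["id"]] = t + 1
            if t + 1 > job["due"]:
                missed.append(job["id"])
        elif amc and job["done"] >= job["task"].c_lo:      # rule 3: C_LO used up, not done
            mode = "HI"
    return finish, missed, dropped

if __name__ == "__main__":
    for amc in (False, True):
        print("AMC" if amc else "DM ", simulate(TASKS, 10, amc))
```

Under plain DM the run has A0 finishing at 9 against a deadline of 8; with AMC it finishes at 7 and B1 is the job that is dropped.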

In 2013, Li et al. also extended the response time bound techniques and the AMC protocol to work with multiple criticality levels [71]. In 2017, Guo et al. studied the sustainability of various mixed-criticality scheduling tests both in uniprocessor and in multiprocessor systems and found that AMC-rtb is sustainable with regard to all parameters, including the criticality level [72]. The AMC protocol assumes that once the system goes into the HI mode, all LO task instances will be abandoned and the system will remain in that mode. However, the sudden discard of LO jobs during the HI mode can cause serious service interruptions and significant performance loss, especially for control systems where the performance of controllers is mainly affected by the execution frequency and period of control tasks [73]. To reduce the impact on lower criticality tasks, the AMC protocol switches back to the initial execution mode as soon as an idle instant occurs, and all LO jobs can be processed again with their timely execution [69].

Going back to the LO starting mode only in case of idle instants leads to a large number of jobs being interrupted or abandoned, and this is still not satisfactory. Different complementary ways of guaranteeing a higher level of service for LO tasks have been proposed, e.g., extending their periods and/or deadlines as in the elastic task model [74] or reducing their execution times by switching to a simpler version of the software [75].

The Priority May Change (PMC) strategy has been proposed to better manage the situations in which higher priority LO tasks could preempt lower priority HI tasks in case of transient faults [76]. The AMC algorithm assigns a single priority to each task by considering together both LO and HI criticality modes, whereas PMC computes priorities in two steps. Firstly, priorities are assigned to the tasks according to some predefined policy like deadline monotonic, as they would be in a regular task system [32]. These priorities are used by the runtime dispatcher while the system is in LO execution mode. Once the system switches to HI mode, HI task priorities are re-assigned according to a priority ordering policy that is optimal for tasks with release jitter [77].

In 2014, Fleming and Baruah proposed a scheme in which the system designers can assign to lower critical functionalities a utility that is used to decide in which order their instances have to be suspended during the HI mode [78]. This method allows the system designer to control how non-critical functionalities degrade after the critical ones overrun their optimistic time threshold. The utility value is assigned on an ordinal scale [79] to provide a predefined order in which LO task instances will be dropped: the least important task instances will be dropped first. The authors adapt Audsley's priority assignment technique [80] to assign lower priority to lower utility LO tasks. This protocol increases performance for LO tasks and allows them to be processed for a significantly increased amount of time.

The methods considered so far allow LO task invocations to execute after a criticality mode change, but they are mainly best effort and do not have a predefined minimum threshold guaranteed for lower critical tasks. Since most hard real-time systems could miss some deadlines provided that it happens in a known and predictable way, the Adaptive Mixed Criticality with Weakly-Hard constraints (AMC-WH) was introduced in 2015 [81] and represents an extension of AMC [69] that integrates the notion of weakly-hard constraints. The definition of weakly-hard real-time system was given in 2001 [82] to indicate systems in which hard real-time tasks are permitted to miss some deadlines as long as the number of missed deadlines is strictly bounded. This work was also based on research on soft real-time systems [83, 84]. AMC-WH is a scheduling policy that allows a number of consecutive instances per LO task to be skipped during the HI execution mode. This reduces the overall system load, frees more resources for safety-critical tasks and provides a degraded but guaranteed minimum quality of service for LO tasks upon a criticality mode change. The number of skips permitted and the number of subsequent deadlines that must be met can be a requirement deduced either from the design of a control algorithm [85] or from physical properties of the system. Empirical evaluations demonstrated that AMC-WH outperforms previous policies and accommodates the continued execution of LO tasks without compromising the assurance requirements for HI tasks. However, like all former AMC-based methods, AMC-WH does not provide a fast recovery from the HI criticality mode, since it is still necessary to wait for idle instants to go back to the starting LO execution mode.

new incoming LO jobs but the number of instances aborted in case of resource shortage could still be very high since there is no control on when the idle instant will be. The Bailout Protocol (BP) improves AMC with the introduction of a fast and effective control mechanism to speed up the return to the initial LO execution mode, called Normal mode [16, 17]. BP still has a HI execution represented by the Bailout and Recovery modes. The protocol aims to restore the Normal mode as soon as possible to minimize the number of LO jobs that miss their deadlines or are not executed at all. The Normal mode is restored not only at the occurrence of an idle instant but also according to the value of a Bailout Fund (BF) variable. The actual number of lower critical instances that will not be started depends on the size of BF, on the number and execution time of LO instances and eventually on the time needed for recovery. Once the system is back in the starting mode, all less critical functionalities start again to be processed with their full timely behaviour. The strength of this protocol is that it speeds up the return to the LO criticality mode, where all jobs can start and be processed. As a result, BP enlarges the duration of the Normal execution mode, where all jobs can be processed with their full timely behaviour, but still abandons LO jobs released during the execution of high criticality execution modes. Furthermore, BP allows LO jobs released in Normal mode to continue to execute in Bailout and Recovery modes, even after their deadline, as long as they do not exceed their $C^{LO}$.

The main weakness of BP is that it immediately drops low-critical instances after a HI job overruns its $C^{LO}$. Because of this, the percentage of LO jobs that miss their deadlines is still high. On the whole, abandoning lower criticality instances in case of resource shortage does not give the robustness required, since some level of service for LO tasks should be maintained as they are still important for mission completion. There are two complementary strategies that help to reduce the number of times that a given system enters Bailout mode, and the amount of time that it spends in such mode, hence reducing the number of LO instances that miss their deadlines or are abandoned. An approach to increase the number of jobs scheduled was introduced by Santy et al. [86]. Burns and Baruah have further refined it and adapted it to work with mixed-criticality protocols [75]. This method exploits the system slack time by scaling up the $C^{LO}$ of HI tasks without making the system unschedulable. It effectively increases the execution time budgets while ensuring that the system remains provably schedulable according to AMC-rtb analysis [69]. If used together with the BP, the resulting protocol is named Bailout Protocol - Slack (BPS). More recently, Bate et al. have also integrated BP with a second complementary technique [17]. This approach consists of an online update of the optimistic time budget that is made by exploiting the CPU spare capacity at runtime. These techniques reduce both the number of times the system enters HI modes and the time it spends executing in them. The most important property of any scheme for exploiting gain time is that the schedulability of HI tasks must not be affected. A number of mechanisms exist that can make this gain time available for use by other jobs without affecting the schedulability. The method used with BP operates only during the Normal mode, and the gain time $g_i$ of a LO job $j_i$ is defined as follows:

$$g_i = C^{LO} - et(j_i) \qquad (3.1)$$

Passing the gain time from one job to the next makes it less likely that jobs requiring more computing time than expected will actually exceed their $C^{LO}$ budgets. On one hand, this increases the probability that LO jobs complete successfully instead of being dropped. On the other hand, it makes it less likely that the system enters the Bailout mode because of HI job overruns. It is worth noting that in Bailout mode the gain time mechanism is not used, since the BP effectively makes use of gain time to hasten recovery. The Bailout Protocol with Gain time (BPG) is derived from the integration of BP with the gain time collection at runtime. By combining both complementary methods with BP simultaneously, the authors have also introduced the Bailout Protocol - Slack and Gain Time (BPSG). The benefit of using such complementary techniques is an increase in the overall service quality for lower critical tasks, obtained by increasing the number of LO task instances correctly processed.
